Enterprise Risk Management
The rising importance of ERM and the Information Security Practice
Harry Contreras – CISSP / Six Sigma
IT Security Manager at a Fortune 500 company
What is driving ERM?
Industry Observations*
- Forecast slowdown for IT spending
- Interlocking IT security spending with identified business priorities
- Changing regulatory landscape for businesses
- Expanding business threat environment
- Rising interest in simplifying security management
- Aligning security solutions to business problems
* Forrester Research, Inc.
Managing Enterprise Risks
What is driving ERM adoption today?
Internal influences
- Impact on business operations
- Analysis of the overall IT risk situation
- Prioritization of IT risk-mitigating actions
- Managed approach to enterprise investment
External influences
- Observation that best effort / best practice is being applied
- Requirements that are legislated or set by industry regulations
- How outsiders will assess business operations
The Definition of ERM
Enterprise Risk Management
Risk management is fundamental to management. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has presented the definition that is most widely referenced and accepted:
Enterprise Risk Management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity. It provides a framework to manage risk within the organization's risk appetite and offers reasonable assurance regarding the achievement of its objectives. (1)
(1) Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework: Executive Summary, 2004
Managing Enterprise Risks
Who is watching for this activity?
External observers
- IT audit practices
- Compliance assessment organizations
- Standard & Poor's (S&P): Enterprise Risk Management (ERM) Analysis for Credit Ratings of Non-Financial Companies*
* Request for Comment (November 2007): S&P has proposed rating criteria for this ERM assessment approach.
Definitions – what are we dealing with here?
Risks, Threats and Vulnerability
Not all threats pose the same level of risk.
Risk (noun) – Possibility of loss or injury. Someone or something that creates or suggests a hazard. The chance that an investment will lose value.
Threat (noun) – An expression of intention to inflict evil, injury or damage. An indication of something impending.
Vulnerability (noun) – A state or defect of a situation or an asset that could be exploited to create loss or harm.
Operational Risk (OR) – The Basel Committee on Banking Supervision defines OR as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events." (1)
Examples of OR include: fraud by external parties or employees; workplace safety and employment practices; client, product and business practices; damage to physical assets; business disruption and system failures; and losses from failed transaction processing or from trade with vendors.
Limiting the Scope
What are Enterprise Business Risks? Global or macro-level risks
- Economic risks – Oil prices/energy, supply interruptions. US current account deficit or fall in the US dollar. Fiscal crises caused by demographic shift. Asset price rises, excessive indebtedness.
- Environmental risks – Climate change. Loss of freshwater services. Natural catastrophes: tropical storms, earthquakes or inland flooding.
- Geopolitical risks – International terrorism, interstate or civil wars. Instability of failed or failing states. Transnational crime.
- Societal risks – Pandemics, infectious diseases in the developing world. Chronic diseases in the developed world. Liability regimes.
- Technical risks – Breakdown of critical information infrastructure (CII). Emergence of risks identified in technologies implemented as products, services, or processes within the enterprise.
Interpreting Business Risk
Where does IT risk come from? Risks impact the business across multiple enterprise structures.
- Marketplace – Where a company operates shapes its business environment, including the political, regulatory, market and labor conditions it faces.
- Financial model – How a company structures its financial strategy shapes its risk tolerance for the changing money market conditions it faces.
- Operational model – How a company chooses to define the way it operates determines how it functions and how business units work together.
- Organizational model – How a company is organized to deploy, develop and retain its people for continuity of internal services.
"Volatility" is the catalyst for risk: the condition where things can change rapidly, dramatically, and sometimes unexpectedly.
Limiting the Scope
What falls within IT risk issues?
- Operational – Risks arising from internal business operations that are generally mitigated through internal controls or processes.
- Hazard – Risks arising from adverse events that result in property damage and liabilities. Some of these are generally insurable.
- Strategic – Risks arising from external competition, the market environment, and regulatory events that can damage or enhance a company's growth track and shareholder valuation.
- Financial – Risks arising from fluctuations in financial market prices that are generally hedged using financial instruments.
- Human capital – Risks arising from challenges to the personnel, leadership and systems used to attract, develop, motivate and retain the labor pool.
The information security triad of Confidentiality, Integrity and Availability maps directly onto the areas of risk above: a breach of any one of the three shows up in the enterprise register as an operational loss, a hazard, a strategic or financial setback, or a people problem.
Interpreting Business Risk
Who makes the determinations, and how
Business risk assessment: engage key stakeholders in the following.
- Conduct a facilitated risk assessment workshop
- Review and assess "in-scope" risk environments
- Assess operational, hazard, strategic and financial risks
- Compile an inventory of identified risks
- Develop a summary-of-results report
- Quantification and business impact scoring
- Correlate solution costs to targeted risks
- Prioritization and assignment of actions
Aspects of Quantifying Risk
To understand which risks matter, review the following risk considerations.
- Risk realization – real vs. perceived risk. Address the FUD factor (Fear, Uncertainty and Doubt): has this risk been realized in the past? Can the costs of this risk be quantified? Is it repeatable and preventable?
- Burden of risk – the associated material and immaterial costs.
- Risk validation – what is the decision tipping point for consideration of this risk?
The Classic Risk Formulations
Interpreting risk and communicating decision actions.
Risk = Loss x Threat x Frequency
- Loss is the economic value of the revenue lost due to a security event
- Threat is the likelihood (as a probability) that the event would happen
- Frequency is how often such an event would occur in a period, usually a year
Threat x Vulnerability = Risk
- The usual reading of this form is that the probability of an event splits into the chance that someone attempts it (threat) and the chance that the attempt succeeds against the asset as it stands (vulnerability).
These formulations remain valid today, and there are many variations on the theme. Multiplying out to an annual exposure figure is what lets a risk be compared directly with the annual cost of the control that would reduce it. What matters more is how to apply the formulation to your organization's ERM program consistently and with the concurrence of the business.
Risk Ranking
Ranking risk by likelihood and impact: associating risk with action imperatives.
[Figure: an industry example* of a risk assessment matrix for ranking risk. Axis 1 – Likelihood; Axis 2 – Business impact.]
* Marsh Risk Consulting Practice – Operational Risk Focus
What to do with Identified IT Risks
Options for handling IT risks (burying your head in the sand is not an option):
- Accept or Retain the identified risk. The risk is unlikely, or its impact does not warrant any further action; the company simply decides to bear any recovery costs.
- Avoid or Reject the risk. The cost or likelihood of the risk is so great that it is not feasible to continue in that area of activity (product, process or geography).
- Transfer or Share the risk. When the risk is part of business operations and its cost is predictable, the company may elect to insure, warranty or contract (outsource).
- Mitigate or Reduce the risk. The identified risk(s) are core to the business, and controls are implemented to reduce likelihood and impact.
- Ignore the risk. A conscious decision to do nothing, as distinct from a documented acceptance. It carries with it the potential for catastrophic business impact and serious legal repercussions.
Analyzing IT Risk
Evaluation of impact to assets. ERM analysis process:
- Asset identification
- Asset valuation
- Threat and vulnerability identification
- Control identification
- Determination of likelihood for the threats
- Asset impact on the InfoSec CIA triad
- Risk determination
- Control recommendation
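The classic formulations, the likelihood/impact matrix, the handling options and the analysis process on the preceding slides can be exercised together as one small risk register. The following is an added example written for this page, not code from the presentation or from any of the frameworks it cites. It applies Risk = Loss x Threat x Frequency with the Threat term split into P(attempt) x P(success), so that the Threat x Vulnerability form falls out of the same model; it bands each risk onto a 3x3 likelihood/impact matrix; and it checks whether a proposed control buys down more annual exposure than it costs, which is the cost-effectiveness question the handling options turn on. The band edges, the acceptance threshold, the three assets and every figure attached to them are constructed assumptions, not the Marsh matrix or any real company's numbers.

```python
"""Added example: a small risk register built on the slides' formulas.
Risk = Loss x Threat x Frequency, with Threat split into P(attempt) x
P(success) so that Threat x Vulnerability is the same model.  Every
asset, figure, band edge and threshold below is a constructed assumption."""
from dataclasses import dataclass, field
from typing import List

# Band edges are assumptions for this example, not Marsh's published matrix.
LIKELIHOOD_BANDS = [(0.1, "Low"), (1.0, "Medium"), (float("inf"), "High")]   # events/year
IMPACT_BANDS = [(50_000, "Low"), (500_000, "Medium"), (float("inf"), "High")]  # loss/event
RANK = {"Low": 1, "Medium": 2, "High": 3}
ACCEPT_BELOW = 10_000.0  # annual exposure the business has agreed to retain (assumption)


def band(value: float, bands) -> str:
    """Map a number onto the first band whose upper edge it lies below."""
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


@dataclass
class Control:
    name: str
    annual_cost: float            # amortised capex + opex per year
    vuln_reduction: float = 0.0   # fraction of P(success) removed, 0..1
    loss_reduction: float = 0.0   # fraction of per-event loss removed, 0..1


@dataclass
class Risk:
    asset: str
    scenario: str
    cia: str                      # leg(s) of the CIA triad the event hits
    loss: float                   # economic loss per realised event
    threat: float                 # P(an attempt is made), 0..1
    vulnerability: float          # P(an attempt succeeds), 0..1
    frequency: float              # attempts (or hazard occurrences) per year
    controls: List[Control] = field(default_factory=list)

    def events_per_year(self) -> float:
        return self.threat * self.vulnerability * self.frequency

    def exposure(self) -> float:
        """Risk = Loss x (Threat x Vulnerability) x Frequency, per year."""
        return self.loss * self.events_per_year()

    def residual(self) -> float:
        """Exposure left after the attached controls; reductions compound."""
        vuln, loss = self.vulnerability, self.loss
        for c in self.controls:
            vuln *= 1.0 - c.vuln_reduction
            loss *= 1.0 - c.loss_reduction
        return loss * self.threat * vuln * self.frequency

    def matrix_score(self) -> int:
        """Likelihood rank x impact rank on a 3x3 matrix; 9 is the top action imperative."""
        likelihood = band(self.events_per_year(), LIKELIHOOD_BANDS)
        impact = band(self.loss, IMPACT_BANDS)
        return RANK[likelihood] * RANK[impact]


def recommend(risk: Risk) -> str:
    """Pick one of the slides' handling options on cost-effectiveness grounds."""
    exposure = risk.exposure()
    if exposure < ACCEPT_BELOW:
        return "Accept"
    saving = exposure - risk.residual()
    cost = sum(c.annual_cost for c in risk.controls)
    if risk.controls and saving > cost:
        return "Mitigate"        # the controls pay for themselves
    return "Transfer/Avoid"      # mitigation does not buy down enough risk for its cost


def rank_register(register: List[Risk]) -> List[Risk]:
    """Order by matrix score, then by annual exposure, highest first."""
    return sorted(register, key=lambda r: (r.matrix_score(), r.exposure()), reverse=True)


def retained_exposure(register: List[Risk]) -> float:
    """A simple IT risk index: annual exposure still carried after each
    recommendation (transfer candidates count in full until a policy or
    contract is actually in place)."""
    return sum(r.residual() if recommend(r) == "Mitigate" else r.exposure()
               for r in register)


# Constructed register: an operational risk, a low-impact nuisance, and a hazard.
REGISTER = [
    Risk("Customer DB", "SQL injection exfiltrates records", "C",
         loss=800_000, threat=0.9, vulnerability=0.3, frequency=4,
         controls=[Control("Input validation fix + WAF", 120_000, vuln_reduction=0.9)]),
    Risk("Intranet wiki", "Page defacement", "I",
         loss=5_000, threat=0.5, vulnerability=0.5, frequency=2),
    Risk("Primary data centre", "Regional flood", "A",
         loss=3_000_000, threat=1.0, vulnerability=1.0, frequency=0.02,
         controls=[Control("Warm standby site", 400_000, loss_reduction=0.8)]),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.matrix_score()}  {r.asset:20} {r.scenario:34} "
              f"exposure={r.exposure():>10,.0f} residual={r.residual():>10,.0f} -> {recommend(r)}")
    print(f"retained exposure index: {retained_exposure(REGISTER):,.0f}")
```

Run as a script it prints the ranked register. The flood scenario is the instructive row: high impact, low likelihood, and a control that cannot pay for itself, which is exactly the shape of hazard risk the slides describe as insurable, so the model flags it for transfer rather than mitigation. Note that reductions from several controls compound rather than add, so two 50% controls leave 25% of the exposure, not zero, and that the retained-exposure figure is the kind of measurable index the later slides ask for: re-run the register each year and the number should fall.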
Enterprise Businesses Today
A continuous "target rich" environment. ERM analysis: the what, when, why, how and who.
- What = Identify risks to the business
- When = Prioritize actions
- Why = Cost justification
- How = Solution/mitigation approach
- Who = Assign actions to carry out
Approaches to IT Risk Management
How can this be accomplished? Industry approaches today:
- The traditional "Delphi Method"
- Developing a matrix of identified risks and attributes
- Six Sigma – Failure Modes and Effects Analysis (FMEA)
- Microsoft – The Security Risk Management Guide
- ISO/IEC 17799:2005 InfoSec practice guideline
- ISO/IEC TR 13335-5 InfoSec management specification
- Information Security Forum (ISF) – Information Risk Reference Guide (IRRG)
The Business Security Umbrella Model – Risk Scale to Security Spend ©
Risk modeling to the security "buy-down" concept.
[Figure: illustration of the relationship of risk mitigation to defense efforts and results. Two panels plot risk scale (Low to High) against investment. "Security in a perfect world": minimal security defenses needed, to defend from outsiders. "Security in the real world": maximum security defenses needed, to defend from outsiders and insiders. Each panel shows direct risk mitigation (result), indirect risk mitigation (result) and the residual risk that is accepted.]
Business Goals and Objectives
The overall business deliverable
Objectives
- Justified business cost to address IT risks
- Mitigation through proportioned budget spend
- Deriving a measurable IT risk index
Goals
- Timing and right-sizing of IT spend allocations
- InfoSec efforts and investments aligned with business problem solutions
Aligning IT Risks to Business Problems
Applying secure and compliant solutions. Critical success factors:
- Did you close the deal? Is it going to be funded?
- Will the solution fit the business model?
- Does business leadership support it?
- Can metrics be derived?
- Were you successful in assigning actions?
A Never Ending Process
Annual "best practice" activity. As companies embrace ERM approaches and practice this activity at least annually, they should observe an improving risk index year over year. The activity raises awareness across the corporation of the enterprise's risk tolerance state, institutionalizing a successful and repeatable InfoSec process to protect the enterprise.
"Security as an Ecosystem"* – Why less is best
Whether solutions are products or processes, each one carries:
- Procurement issues/costs
- Integration issues/costs
- Implementation issues/costs
- Operations issues/costs
- Support issues/costs
- A lifecycle of business Capex and Opex to sustain the solution from turn-up to retirement
* Quotation taken from a published InfoSec industry article
IT Security Practitioner – Commentary*
Dr. Eric Cole – SANS, Author & Fellow
An editorial note by Dr. Cole: "Security will always be a challenge since threats and vulnerabilities are always changing. The key task for security managers is to make sure that, based on your limited budget, you are focusing in on the correct items. In spending any money on security you should always ask three questions: what is the risk I am reducing; is it the highest priority risk; and is it the most cost effective way to reduce the risk?"
* Dr. Cole prepared this commentary for SANS NewsBites Vol. 10 Num. 23, March 21, 2008.
IT Security Practitioner – Commentary*
Marcus Sachs – Director, SANS ISC
"Security is about risk management."
"There's no way to patch every vulnerability, so which ones do you go after? One good approach is [to look at] which ones the threats are most likely to go after."
"There is no such thing as perfect security. Just try to manage it to get to some acceptable level of risk that you are willing to live with."
* Information Security Magazine, February 2008
Presentation Summary
Not all risks can be mitigated out of existence. With effective risk identification, assessment and mitigation approaches, businesses can benefit from the following outcomes:
- Competitive advantage
- Security
- Efficiency
- Resilience
- Confidence
"There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction." John F. Kennedy
Presentation Conclusion
Questions and Answers
This material copyrighted – 2008.
ERM Presentation Hand-Out
How to obtain additional information?
- Information Security Forum (ISF) – Information Risk Reference Guide (IRRG), May 2006. www.securityforum.org. Available to companies participating in the international ISF organization.
- Microsoft – Security Risk Management Guide v1.2, March 15, 2006. Microsoft Corporation, all rights reserved. Download Center: http://go.microsoft.com/fwlink/?linkid=32050; TechNet online: http://go.microsoft.com/fwlink/?linkid=30794
- ISO/IEC 17799:2005 – Information Security Standard; ISO/IEC 13335-3 – Guidelines for the Management of IT Security. http://www.iso.org/iso/home.htm
- The Burton Group – In-Depth Research Overview / Directory and Security Strategies: Risk Aggregation: The Unintended Consequence, April 2004. www.burtongroup.com
- Information Systems Audit and Control Association (ISACA) – In-Depth Research Overview: The Convergence of Physical and Information Security in the Context of Enterprise Risk Management, 2007. http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=36010
- Marsh – Risk Consulting Practice – Risk Focus: A Closer Look: Establishing an Effective Operational Risk Management Program. © 2004 Marsh, Inc. www.global.marsh.com; http://www.marshriskconsulting.com/st/PSEV_C_360_NR_302.htm

Editor's Notes

Slide 2 – Keynote message: Enterprise businesses today are a consistent target-rich environment. As companies grow, so does their external and internal attack surface exposure. Risk management approaches help identify mitigation actions for the associated risks.